The GDPR and Cyber Security
With the new year in full swing, thousands of organizations worldwide are realizing that May 25th 2018 is looming closer and closer. That is the date the EU has set as the deadline to comply with the new General Data Protection Regulation (GDPR). These privacy rules, the first major overhaul of EU data protection law since the 1995 Data Protection Directive (drafted before most of the world was online), apply not only to businesses and organizations operating within the EU, but also to businesses and organizations in other countries and territories that do business within the EU or process the personal data of people in the EU.
Several of the main requirements to be familiar with include:
- Only the data required for the stated purpose is collected.
- Data is held securely (keeping it within the EU avoids the cross-border transfer controls described below).
- Data is only accessed by authorized persons.
- Data is accurate, and the individual can access it and have it corrected.
- Any transfer of personal data outside the EU must use an approved transfer mechanism and remain under strict controls, even when the transfer is between parts of the same organization.
- A breach of personal data must be reported to the relevant supervisory authority (the member state's data protection regulator) within 72 hours of the organization becoming aware of it, unless the breach is unlikely to pose a risk to individuals.
- The organization must be able to demonstrate principles such as transparency and accountability, in particular how it complies with the GDPR (for example, by documenting its training programs).
- Organizations must practice “privacy by design”: building privacy protections in at the design stage and throughout the development of products, goods and services.
A primary focus of the GDPR, which won’t come as a surprise since we’re talking about individuals’ privacy, is how organizations must protect personal data from breaches. This is where the GDPR collides with current cybersecurity issues. We have all seen examples of massive data breaches in the news over the past few years. Reports of major companies suffering breaches arrive weekly (and at times daily). Data breaches have become so commonplace that they are almost old news as soon as they are reported. In fact, some organizations have become complacent about breaches and fail to make cybersecurity a priority. In more extreme cases, company executives were aware of a breach but waited a full year before notifying the public. For example, hackers had stolen the account data of 57 million Uber drivers and riders a year before the company disclosed the breach. According to Fortune magazine, under the GDPR Uber would have broken at least three rules: not properly protecting the data, not telling regulators about the hack, and not informing its customers until a year later. This is just one of many large-scale breaches at major companies that were mishandled.
Sophisticated attackers know that the weakest link in cybersecurity is often the human, and they exploit it. This is why businesses of every size, from sole entrepreneurs to large corporations, are hit daily with phishing attacks that can compromise millions of people’s data.
The GDPR’s penalties make clear that it means business: fines of up to €20 million or 4% of global annual turnover, whichever is higher, for organizations that fail to comply. This is a massive game-changer, intended to ensure effective privacy regulation and vigilant protection of personally identifiable data.
Want to learn more about GDPR and the TechGuard® S.H.I.E.L.D™ Security Awareness Training Solution?
TechGuard® S.H.I.E.L.D™ offers GDPR and Security Awareness training to keep you and your organization informed and prepared. Talk to one of our Cybersecurity Experts and request a free demo today.